CVE-2024-55661 – laravel/pulse

Package

Manager: composer
Name: laravel/pulse
Vulnerable Version: >=0 <1.3.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02793 pctl0.85547

Details

Laravel Pulse Allows Remote Code Execution via Unprotected Query Method A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public `remember()` method in the `Laravel\Pulse\Livewire\Concerns\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. ### Impact An authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria: - The callable is a function or static method - The callable has no parameters or no strict parameter types ### Vulnerable Components - The `remember(callable $query, string $key = '')` method in `Laravel\Pulse\Livewire\Concerns\RemembersQueries` - Affects all Pulse card components that use this trait ### Attack Vectors The vulnerability can be exploited through Livewire component interactions, for example: ```php wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')" ``` ### Credit Thank you to Jeremy Angele for reporting this vulnerability.

Metadata

Created: 2024-12-13T20:35:43Z
Modified: 2024-12-17T18:07:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-8vwh-pr89-4mw2/GHSA-8vwh-pr89-4mw2.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-8vwh-pr89-4mw2
Finding: F422
Auto approve: 1